From ba2853caac636d2ae596d74561fa0233567242d4 Mon Sep 17 00:00:00 2001
From: =?utf8?q?J=C3=A9r=C3=A9my=20DECOOL?= <contact@jdecool.fr>
Date: Sun, 12 Feb 2017 11:01:36 +0100
Subject: [PATCH 1/1] Prevent target='_blank' vulnerability on dynamic link

---
 classes/feeds.php             | 12 ++++++------
 classes/pref/prefs.php        |  4 ++--
 include/feedbrowser.php       |  8 ++++----
 include/functions2.php        | 20 +++++++++++---------
 plugins/af_psql_trgm/init.php |  2 +-
 plugins/share/init.php        |  2 +-
 6 files changed, 25 insertions(+), 23 deletions(-)

diff --git a/classes/feeds.php b/classes/feeds.php
index a4110938..6b96d836 100755
--- a/classes/feeds.php
+++ b/classes/feeds.php
@@ -398,7 +398,7 @@ class Feeds extends Handler_Protected {
 						alt=\"Publish article\" onclick='togglePub($id)'>";
 				}
 
-#				$content_link = "<a target=\"_blank\" href=\"".$line["link"]."\">" .
+#				$content_link = "<a target=\"_blank\" rel=\"noopener noreferrer\" href=\"".$line["link"]."\">" .
 #					$line["title"] . "</a>";
 
 #				$content_link = "<a
@@ -616,7 +616,7 @@ class Feeds extends Handler_Protected {
 						class=\"titleWrap $hlc_suffix\">
 						<a class=\"title $hlc_suffix\"
 						title=\"".htmlspecialchars($line["title"])."\"
-						target=\"_blank\" href=\"".
+						target=\"_blank\" rel=\"noopener noreferrer\" href=\"".
 						htmlspecialchars($line["link"])."\">".
 						$line["title"] .
 						"</a> <span class=\"author\">$entry_author</span>";
@@ -691,13 +691,13 @@ class Feeds extends Handler_Protected {
 
 							$tmp_line = $this->dbh->fetch_assoc($tmp_result);
 
-							$reply['content'] .= "<a target='_blank'
+							$reply['content'] .= "<a target='_blank' rel='noopener noreferrer'
 								href=' " . htmlspecialchars($tmp_line['site_url']) . "'>" .
 								$tmp_line['title'] . "</a>";
 
 							$reply['content'] .= "&nbsp;";
 
-							$reply['content'] .= "<a target='_blank' href='" . htmlspecialchars($tmp_line['feed_url']) . "'>";
+							$reply['content'] .= "<a target='_blank' rel='noopener noreferrer' href='" . htmlspecialchars($tmp_line['feed_url']) . "'>";
 							$reply['content'] .= "<img title='".__('Feed URL')."'class='tinyFeedIcon' src='images/pub_unset.png'></a>";
 
 							$reply['content'] .= "</div>";
@@ -746,12 +746,12 @@ class Feeds extends Handler_Protected {
 							$comments_url = htmlspecialchars($line["link"]);
 						}
 						$entry_comments = "<a class=\"postComments\"
-							target='_blank' href=\"$comments_url\">$num_comments ".
+							target='_blank' rel='noopener noreferrer' href=\"$comments_url\">$num_comments ".
 							_ngettext("comment", "comments", $num_comments)."</a>";
 
 					} else {
 						if ($line["comments"] && $line["link"] != $line["comments"]) {
-							$entry_comments = "<a class=\"postComments\" target='_blank' href=\"".htmlspecialchars($line["comments"])."\">".__("comments")."</a>";
+							$entry_comments = "<a class=\"postComments\" target='_blank' rel='noopener noreferrer' href=\"".htmlspecialchars($line["comments"])."\">".__("comments")."</a>";
 						}
 					}
 
diff --git a/classes/pref/prefs.php b/classes/pref/prefs.php
index 9a7ab55a..ece9e807 100644
--- a/classes/pref/prefs.php
+++ b/classes/pref/prefs.php
@@ -776,7 +776,7 @@ class Pref_Prefs extends Handler_Protected {
 				print "<td><label><img src='images/$plugin_icon' alt=''> $name</label></td>";
 				print "<td>" . htmlspecialchars($about[1]);
 				if (@$about[4]) {
-					print " &mdash; <a target=\"_blank\" class=\"visibleLink\"
+					print " &mdash; <a target=\"_blank\" rel=\"noopener noreferrer\" class=\"visibleLink\"
 						href=\"".htmlspecialchars($about[4])."\">".__("more info")."</a>";
 				}
 				print "</td>";
@@ -835,7 +835,7 @@ class Pref_Prefs extends Handler_Protected {
 				print "<td><label for='FPCHK-$name'><img src='images/$plugin_icon' alt=''> $name</label></td>";
 				print "<td><label for='FPCHK-$name'>" . htmlspecialchars($about[1]) . "</label>";
 				if (@$about[4]) {
-					print " &mdash; <a target=\"_blank\" class=\"visibleLink\"
+					print " &mdash; <a target=\"_blank\" rel=\"noopener noreferrer\" class=\"visibleLink\"
 						href=\"".htmlspecialchars($about[4])."\">".__("more info")."</a>";
 				}
 				print "</td>";
diff --git a/include/feedbrowser.php b/include/feedbrowser.php
index 4772420a..ec4efe15 100644
--- a/include/feedbrowser.php
+++ b/include/feedbrowser.php
@@ -59,12 +59,12 @@
 
 				$class = ($feedctr % 2) ? "even" : "odd";
 
-				$site_url = "<a target=\"_blank\"
+				$site_url = "<a target=\"_blank\" rel=\"noopener noreferrer\"
 							href=\"$site_url\">
 							<span class=\"fb_feedTitle\">".
 				htmlspecialchars($line["title"])."</span></a>";
 
-				$feed_url = "<a target=\"_blank\" class=\"fb_feedUrl\"
+				$feed_url = "<a target=\"_blank\" rel=\"noopener noreferrer\" class=\"fb_feedUrl\"
 							href=\"$feed_url\"><img src='images/pub_set.png'
 							style='vertical-align : middle'></a>";
 
@@ -87,12 +87,12 @@
 					$archived = '';
 				}
 
-				$site_url = "<a target=\"_blank\"
+				$site_url = "<a target=\"_blank\" rel=\"noopener noreferrer\"
 							href=\"$site_url\">
 							<span class=\"fb_feedTitle\">".
 				htmlspecialchars($line["title"])."</span></a>";
 
-				$feed_url = "<a target=\"_blank\" class=\"fb_feedUrl\"
+				$feed_url = "<a target=\"_blank\" rel=\"noopener noreferrer\" class=\"fb_feedUrl\"
 							href=\"$feed_url\"><img src='images/pub_set.png'
 							style='vertical-align : middle'></a>";
 
diff --git a/include/functions2.php b/include/functions2.php
index d490ae50..96274b6a 100644
--- a/include/functions2.php
+++ b/include/functions2.php
@@ -955,6 +955,7 @@
 
 					$a->appendChild(new DOMText($entry->getAttribute('src')));
 					$a->setAttribute('target', '_blank');
+					$a->setAttribute('rel', 'noopener noreferrer');
 
 					$p->appendChild($a);
 
@@ -964,6 +965,7 @@
 
 			if (strtolower($entry->nodeName) == "a") {
 				$entry->setAttribute("target", "_blank");
+				$entry->setAttribute("rel", "noopener noreferrer");
 			}
 		}
 
@@ -1249,7 +1251,7 @@
 					</object>";
 			}
 
-			if ($entry) $entry .= "&nbsp; <a target=\"_blank\"
+			if ($entry) $entry .= "&nbsp; <a target=\"_blank\" rel=\"noopener noreferrer\"
 				href=\"$url\">" . basename($url) . "</a>";
 
 			return $entry;
@@ -1260,7 +1262,7 @@
 
 /*		$filename = substr($url, strrpos($url, "/")+1);
 
-		$entry .= " <a target=\"_blank\" href=\"" . htmlspecialchars($url) . "\">" .
+		$entry .= " <a target=\"_blank\" rel=\"noopener noreferrer\" href=\"" . htmlspecialchars($url) . "\">" .
 			$filename . " (" . $ctype . ")" . "</a>"; */
 
 	}
@@ -1332,12 +1334,12 @@
 					$comments_url = htmlspecialchars($line["link"]);
 				}
 				$entry_comments = "<a class=\"postComments\"
-					target='_blank' href=\"$comments_url\">$num_comments ".
+					target='_blank' rel=\"noopener noreferrer\" href=\"$comments_url\">$num_comments ".
 					_ngettext("comment", "comments", $num_comments)."</a>";
 
 			} else {
 				if ($line["comments"] && $line["link"] != $line["comments"]) {
-					$entry_comments = "<a class=\"postComments\" target='_blank' href=\"".htmlspecialchars($line["comments"])."\">".__("comments")."</a>";
+					$entry_comments = "<a class=\"postComments\" target='_blank' rel=\"noopener noreferrer\" href=\"".htmlspecialchars($line["comments"])."\">".__("comments")."</a>";
 				}
 			}
 
@@ -1373,7 +1375,7 @@
 				$rv['content'] .= "<div class=\"postDate\">$parsed_updated</div>";
 
 			if ($line["link"]) {
-				$rv['content'] .= "<div class='postTitle'><a target='_blank'
+				$rv['content'] .= "<div class='postTitle'><a target='_blank' rel='noopener noreferrer'
 					title=\"".htmlspecialchars($line['title'])."\"
 					href=\"" .
 					htmlspecialchars($line["link"]) . "\">" .
@@ -1442,13 +1444,13 @@
 
 					$tmp_line = db_fetch_assoc($tmp_result);
 
-					$rv['content'] .= "<a target='_blank'
+					$rv['content'] .= "<a target='_blank' rel='noopener noreferrer'
 						href=' " . htmlspecialchars($tmp_line['site_url']) . "'>" .
 						$tmp_line['title'] . "</a>";
 
 					$rv['content'] .= "&nbsp;";
 
-					$rv['content'] .= "<a target='_blank' href='" . htmlspecialchars($tmp_line['feed_url']) . "'>";
+					$rv['content'] .= "<a target='_blank' rel='noopener noreferrer' href='" . htmlspecialchars($tmp_line['feed_url']) . "'>";
 					$rv['content'] .= "<img title='".__('Feed URL')."' class='tinyFeedIcon' src='images/pub_set.png'></a>";
 
 					$rv['content'] .= "</div>";
@@ -1957,7 +1959,7 @@
 
 				if ($player) array_push($entries_inline, $player);
 
-#				$entry .= " <a target=\"_blank\" href=\"" . htmlspecialchars($url) . "\">" .
+#				$entry .= " <a target=\"_blank\" href=\"" . htmlspecialchars($url) . "\" rel=\"noopener noreferrer\">" .
 #					$filename . " (" . $ctype . ")" . "</a>";
 
 				$entry = "<div onclick=\"openUrlPopup('".htmlspecialchars($url)."')\"
@@ -2005,7 +2007,7 @@
 										src=\"" .htmlspecialchars($entry["url"]) . "\"
 										" . $encsize . " /></p>";
 									} else {
-										$rv .= "<p><a target=\"_blank\"
+										$rv .= "<p><a target=\"_blank\" rel=\"noopener noreferrer\"
 										href=\"".htmlspecialchars($entry["url"])."\"
 										>" .htmlspecialchars($entry["url"]) . "</a></p>";
 									}
diff --git a/plugins/af_psql_trgm/init.php b/plugins/af_psql_trgm/init.php
index 8c92be1a..542cd720 100644
--- a/plugins/af_psql_trgm/init.php
+++ b/plugins/af_psql_trgm/init.php
@@ -85,7 +85,7 @@ class Af_Psql_Trgm extends Plugin {
 				style='vertical-align : middle'>";
 
 			$article_link = htmlspecialchars($line["link"]);
-			print " <a target=\"_blank\" href=\"$article_link\">".
+			print " <a target=\"_blank\" rel=\"noopener noreferrer\" href=\"$article_link\">".
 				$line["title"]."</a>";
 
 			print " (<a href=\"#\" onclick=\"viewfeed({feed:".$line["feed_id"]."})\">".
diff --git a/plugins/share/init.php b/plugins/share/init.php
index 0f8f8fec..a028c057 100644
--- a/plugins/share/init.php
+++ b/plugins/share/init.php
@@ -100,7 +100,7 @@ class Share extends Plugin {
 			$url_path .= "/public.php?op=share&key=$uuid";
 
 			print "<div class=\"tagCloudContainer\">";
-			print "<a id='gen_article_url' href='$url_path' target='_blank'>$url_path</a>";
+			print "<a id='gen_article_url' href='$url_path' target='_blank' rel='noopener noreferrer'>$url_path</a>";
 			print "</div>";
 
 			/* if (!label_find_id(__('Shared'), $_SESSION["uid"]))
-- 
2.39.2